Mobile Devices

Apple's iOS 6.1 is Vulnerable to Attack

As Apple continues to add new features to version 6.1 of iOS, its mobile operating system, researchers are finding vulnerabilities in it. Reports suggest attackers have found ways to bypass the code lock.

In fact, according to Vulnerability Lab CEO Benjamin Kunz Mejri, attackers can get past the lock screen and access a user's contacts, voicemail and more, reported Ars Technica.

Per Mejri’s investigation, the new bug appears to be slightly different from the one highlighted earlier this month, wrote Jacqui Cheng, Ars Technica’s Apple editor. The two versions of this vulnerability start out in a similar way, reportedly following a set of steps that utilizes the Emergency Call function in addition to the lock/sleep button and the screenshot feature.

“When making an emergency call, an attacker could cancel the call while holding the lock/sleep button in order to access data on the phone,” Cheng wrote.

The key difference between the first attack and the present one is that the present one can make the iPhone screen go black, allowing an attacker to plug the device into a computer via USB and access the user's data without the user's PIN or passcode.

"The vulnerability is located in the main login module of the mobile iOS device (iPhone or iPad) when processing to use the screenshot function in combination with the emergency call and power (standby) button. The vulnerability allows the local attacker to bypass the code lock in iTunes and via USB when a black screen bug occurs," Mejri wrote. "The vulnerability can be exploited by local attackers with physical device access without privileged iOS account or required user interaction. Successful exploitation of the vulnerability results in unauthorized device access and information disclosure."

Reports indicate that a version of the passcode bypass bug first appeared in iOS 2.0, and then again in iOS 4.1, with a slightly more complex series of steps. The most recent version of the bug appeared in iOS 6.1, but now it turns out there are two versions of this vulnerability in 6.1.